Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Dealing With User Resignation From an IT Perspective?

Posted by timothy on from the here-is-your-read-only-cardboard-box dept.

New submitter recaptcha writes Today one of my fellow workers has announced he has found another job and will be leaving our company in two weeks' time. This is all above board and there is no disgruntled employee scenario here; he is simply working through his notice period and finishing up some jobs. I have already set some fileserver folders to Read-Only for him and taken a backup of his mailbox in case he empties it on the last day. Which best practices do you follow that will prevent a resigning user from causing any damage (deliberately or not) in these last days of employment before his account is disabled?

27 of 279 comments (clear)

  1. Why not let him know what to do by misosoup7 · · Score: 4, Insightful

    If he is not a disgruntled worker just work with him to set up expectations from the IT side of things. Do you expect him to turn his computer in? When? Should he delete files off? Yes/No? I think most people would be happy to work though an exit checklist and it would make you seem really organized. But if the employee has it in for you, then you may want to do more than that. But it looks like you've already made back ups of things that you think may be important. In any case, I would formulate a standard policy for people leaving the firm. So that they have clear expectations on what needs to be done on the IT side of things.

    1. Re:Why not let him know what to do by BarbaraHudson · · Score: 4, Insightful

      If he wanted to screw with stuff, the seeds are already planted and will go off after he's gone. And if he hasn't wanted to screw up stuff, don't give him a reason to regret that decision by treating him in a dick way.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  2. Why? by ledow · · Score: 2, Insightful

    You have fucking backups right?

    What's he going to remove from your access that's critical to you, under that scenario?

    Don't bother with all that shit, and if you think he may do something malicious (e.g. send out inappropriate emails, steal the customer database, etc.) then shut him off now and pay him to "work" his last few days out at home.

    But putting fileservers on read-only in case he does damage? That just tells me that you have no concept of data resiliency anyway.

    1. Re:Why? by Anonymous Coward · · Score: 4, Insightful

      Your comment would have been much more meaningful if you had been able to attempt to express yourself without the expletives. While I mostly agree with the content of your post, it loses credibility since you couldn't get a couple of sentences out without cursing. I am sure you are an intelligent person, but the expletives counter that idea.

    2. Re:Why? by bluefoxlucid · · Score: 4, Insightful

      Malware isn't as targeted as an individual, although I've seen financial records damaged and personal e-mails disseminated by malware. My stint at various companies, contractors, government positions, and private sector jobs has given me a lot of exposure to shit that goes wrong. Even when I had little technical power, I slowly identified ways to leverage the small access I needed, and to gain higher access; access control is idyllic, and information often leaks around a lot due to the need for certain things to be available.

      I used to administrate IDS systems and approve firewall requests. In this capacity, I had no ability to do any real damage: every system I interfaced with was handled by an agent, either to install my hardware, to set my network routes, to configure the firewalls, to route span traffic to me, or to shut off ports when I discovered dangerous behavior on the network. I could damage our IDS, but nothing else. By contrast, those administrators each had a massive amount of power: they could sniff network traffic, route it for man-in-the-middle attacks, leak any information they wanted; even I was able to regularly extract administrative network passwords from our traffic, since our IDS ran decryption through our internal certificates and showed me raw attack traffic. I couldn't see your personal gmail account, but I could see the plaintext of your ssh connection to a CISCO switch.

      I do work in network security; most mundanes who dabble figure that security is this rock-hard wall of protection, or it's wrong. They often forget the definition of information security, which includes confidentiality, integrity, and accessibility; it is the accessibility that people most forget, demanding confidentiality and integrity while refusing to sacrifice either where accessibility is impacted unacceptably. In my example with the IDS, the IDS must decrypt traffic to search for attacks which may compromise confidentiality or integrity, yet it also reveals passwords to a small group of people who may themselves compromise confidentiality or integrity by using these passwords; this is why HMAC was invented, but it is not always available within a protocol suite.

      --
      Support my political activism on Patreon.
    3. Re:Why? by bluefoxlucid · · Score: 3, Insightful

      Yes, and there are also key close-out tasks to cap off open projects to deliver to the next guy, or to transfer knowledge and move off responsibilities gracefully. Cutting off is a great strategy where the user is not unique, and a devastating one where he is training his replacement or in charge of things that rarely require attention; most often, it's somewhere in-between, and some careful decisions are required.

      --
      Support my political activism on Patreon.
    4. Re:Why? by serviscope_minor · · Score: 3, Insightful

      Hm good point.

      Might be best to have a hybrid strategy of some sort then. I, personally think it's dickish and stupid to freeze out an employee who resigns on good terms with the company: they're no less trustworthy after then before.

      So yeah, careful decisions are required. Probably best to play it by ear. It's almost certainly worth disabling his accounts and switching off his computers for at least one day just to see if anything breaks. They can always be re-enabled the next day.

      --
      SJW n. One who posts facts.
    5. Re:Why? by hatemonger · · Score: 4, Insightful

      Profanity is a crutch.

      Empty platitudes repeated by people who dislike profanity for the sake of feeling good about themselves. Profanity is one of many tools that people can use to express themselves, and it is completely unrelated the strength of the points being argued. The sun is fucking hot, the sky is damn blue, and shit like "profanity is the sign of a weak argument" is ignorant and fallacious.

  3. If he's sufficiently important... by benjfowler · · Score: 1, Insightful

    Gardening leave.

    No ifs, no buts. Give him his shit in a cardboard box, revoke his pass, get security to escort him out. Pay him to serve out his notice at home.

    1. Re:If he's sufficiently important... by ckatko · · Score: 5, Insightful

      If that's the case, don't be a dick about it. Instead of "Go work from home for the two weeks because we're afraid you're going to fuck us over." Say, "Enjoy the next two weeks of paid vacation on us as a parting gift. Best of luck on your career."

      Both accomplish the exact same thing, but one of them doesn't create dicks out of good employees. I mean what's the chance he's going to be productive those two weeks anyway?

  4. Don't be an asshole. by ZorinLynx · · Score: 5, Insightful

    I've known many people who have tendered resignation letters and are then immediately ostracized by the company, security follows them around everywhere, they're asked to leave the building immediately, etc....

    Don't do that. If this person wanted to cause damage, he would do so without announcing his resignation. Take some precautions, but don't treat him like an outsider. He's still an employee during his notice period; treat him like one.

    Remember, he's leaving somewhere where he spent a good 1/3rd of his life. Change is not easy, and paranoid asshole-ish behavior makes it 100x as hard. Plus, you want him to be an ally to your company in the future, and not a potential enemy.

    1. Re:Don't be an asshole. by new_01 · · Score: 5, Insightful

      Exactly. And the best pool of potential new hires are from previous employees who realize that the grass wasn't exactly greener on the other side. Previous employees already know your system and processes and can be back up and running within a week or two with minimal training. Why people would ostracize them is beyond me.

  5. The correct answer should be "none". by Jaywalk · · Score: 5, Insightful

    There should already be backups in place and security safeguards to keep such an employee -- as much as possible -- from causing harm. Employees leave all the time, planned or unplanned, willingly or not. Certainly you want to make sure all their uncompleted tasks are turned over to someone else, but preparations should have already been in place in case health problems or personal issues cause a sudden departure.

    --
    ===== Murphy's Law is recursive. =====
  6. Do it before they put in their notice. by grimmjeeper · · Score: 4, Insightful

    Every time I've known I was going to turn in my notice, I end up going through everything and cleaning out any personal stuff and clean up my mailbox before the letter ever gets put in. You never know if you'll be given the opportunity to do that once your notice is in. If there's anything that needs to be saved, it's a good idea to keep a rolling backup of it now on everyone. That way, when someone turns in their notice (whether everything is above board or not), you have everything you need and you're not scrambling to catch it before the employee deletes it.

  7. Re:Having security meet him at his desk by Count+Fenring · · Score: 5, Insightful

    And it's a terrible way to go about things.

    Treating exiting employees like criminals when there's no established reason to doesn't improve workplace security - it just means that the person outside your company with the most current stories about how you operate has a story about how you treated them badly.

    You should absolutely be able to revoke people's powers, etc, but that's an "after they've left" step. Any damage you think you're preventing, they've already had the opportunity to do.

  8. Re:2 weeks notice? Fuggedabouit by TheGratefulNet · · Score: 3, Insightful

    companies in the US no longer DESEVE 2 weeks notice. the rules are no longer valid; they won't give YOU notice. don't give them any courtesy they won't give you.

    there is no loyalty anymore, so why play old games that are no longer valid?

    you are a cog. you are just a worker.

    just leave on the say you give notice. business is business, tell them you need to do what's best for you and that means leaving today.

    they won't give you the same respect they 'expect' from you, so don't give it to them (anymore).

    sad that its like this, but IT IS. only newbies and fools have loyalty to companies, now.

    --

    --
    "It is now safe to switch off your computer."
  9. Re:Remove access ASAP by Princeofcups · · Score: 3, Insightful

    Removing access immediately is important for 2 reasons. The first is obviously security. Then 2nd is figuring out what he does & making sure somebody else has that access & knowledge.

    Beat me to it. When I saw "finishing up projects," that immediately raised a red flag. All projects should immediately be turned over to other staff, and the short termer can watch over their shoulders and answer any questions. It may make sense to let them keep email and IM during the time, and maybe even read-only to code to help look up issues. But that's about it.

    For me it's not about security of the company. It's security of the person leaving, so that they can't get blamed for breaking something during that time. But the most important thing is knowledge transfer. Two weeks is a very short time to document all the little things that were picked up during their tenure.

    My biggest complaint recently has been people leaving without proper knowledge transfer. Even after I emailed managers on that point, and was told to try to stop scheduling meetings with him. "He's too busy." Sigh. Now I'm left picking up the mess he left behind.

    --
    The only thing worse than a Democrat is a Republican.
  10. Start when you hire the person... by QuietLagoon · · Score: 4, Insightful
    Treat the person with respect from the time you hire him.

    .
    For example. Be transparent with any equipment lists that document what equipment are in the employee's possession. Share the list at least yearly with the employee so there are no surprises (and the resulting badness) if an employee leaves. There is little else that generates ill feelings than an out of date equipment list for an employee (what do you mean I have to turn in that laptop? I turned it in two years ago. What!?!?! You want me to pay for it? ... etc., etc.).

    Provide a great work environment so employees don't want to leave.

    Look at what you think concerns you when an employee leaves, and then think about what you should do while the person is an active employee to prevent your concerns from occurring.

    Don't solve the problem after it occurs, prevent it from occurring.

  11. Don't try to be a hero by mileshigh · · Score: 5, Insightful

    You have data backups & resiliency in place as a matter of policy, right?

    What's policy (probably HR's responsibility) for this scenario? That's what you do: follow policy, nothing more, nothing less. If there's no policy or procedure, then you do exactly that: nothing.

    Don't improvise. This is an HR issue. You have NO idea what legal or other policy minefields you're stepping into. There are only downsides for you.

  12. Why? by JustNiz · · Score: 4, Insightful

    Why are you suddenly panicking and treating him like an asshole now he has anounced his resignation?

    If he had ever had the intention to Do Bad Things(tm) why don't you think he also had the smarts to plan ahead and do it the day before he quit?

    And also.. backing up his email in case he deletes his inbox/sentbox? Are you serious? Why don't you require that this should be deleted when he leaves? Most people do that on leaving just for their own personal security purposes. In fact many compnaies specifically require existing employees to explicitly not keep emails beyond some period. His email may well legitimately include personal stuff such as from HR that he should reasonably expect to be kept private, i.e not archived potentially permanently for perusal by IT staff anytime later.

  13. Re:Delete stuff. by Em+Adespoton · · Score: 4, Insightful

    And beyond this... if it's on the company computer, it's on the company's time, and is the company's business. A lot of people forget this and use company systems for personal stuff, but it's still company data, and has been proven to be so in court.

    So yeah; back up everything now, and then provide a sanitized version for others to look through as need arises.

    The truth is, even if there's something critical in the backup, it's likely that nobody will ever know its there and so have reason to go looking for it. But CYA is always important for IT.

  14. We do ... absolutely nothing by enjar · · Score: 4, Insightful

    People start and leave jobs for a variety of reasons. Maybe their spouse got a giant promotion but had to move. Maybe their parents are ailing and they are moving closer to take care of them. Maybe they just want to do something new, or change careers. There's a multitude of perfectly rational and otherwise sane reasons people change jobs.

    Why are you even considering treating them like an asshole? If they have given their notice, they should be finishing things up. If there's a project they are working on that will not be completed, they should be working with who is going to take it over to transfer the knowledge. They should likely document anything they did that wasn't documented. So on and so forth. Maybe you go out of a good bye lunch or get a cake to wish them well in their new endeavor. But why treat them like an asshole? Who knows, maybe your firm will start going the wrong way and they will get you on at the new place.

    Once they are gone, then you should have a procedure to deactivate the account, delete files, shut off email, have inbound mail forwarded to their old manager, etc.

    If you DO think they are going to do stupid things, then they should have been fired a long time ago. But if they are just leaving with proper notice, you likely don't need to do anything special.

  15. Trust Him, or Don't by Jaime2 · · Score: 3, Insightful

    If you trust him, work through his last days as usual, just switch him to hand-over tasks instead of new work.

    If you don't trust him, walk him out now and revoke all access.

  16. Re:Having security meet him at his desk by Jax+Omen · · Score: 5, Insightful

    This. Last place I worked, I gave about 3 weeks notice (I said "x day is my last day" essentially) and emphasized in my resignation letter my full intent to continue to be as effective/useful to the company as I could for the full duration of my notice.

    A higher-up drove 45 minutes from the head office to greet me on the last day of my notice to thank me personally and shake my hand because HE HAD NEVER SEEN ANYONE ACTUALLY DO THIS BEFORE.

    EVERY SINGLE one of my coworkers saw this, mind you. I guarantee it made an impression, because they all couldn't stop talking about it the rest of the day.

    When an employee resigns on non-hostile terms, don't treat them badly, instead show them how much you value them. It sets a great example for the remaining employees, and boosts morale across the board.

    Shame that job paid so badly, I really liked the people there...

  17. Re:Delete stuff. by KeithJM · · Score: 3, Insightful

    I'm assuming he put that line about company time together because it rhymed nicely. But if you're using a work computer for personal stuff, even off-hours, expect your company to know about it. Most of the time that's probably fine. But if there is ever a need for your company to examine your laptop and they find cached images from objectionable late night searches, downloaded movies or music or anything of that nature, you might have to talk to HR to explain it. If those images are of children in compromising positions or something like that, your company will turn "your" laptop over to the police and fire you. Don't kid yourself that using company hardware outside of work hours means your company doesn't feel responsible for what you do.

    Likewise, if you resign, it's not your IT department's job to make sure your former teammates don't find out about your "My Little Pony" fan club. If you want to keep that secret from your work, don't use work hardware to do it.

  18. Re:Delete stuff. by Anonymous Coward · · Score: 2, Insightful

    Why would anyone aside from himself need access to his emails? If someone needed to see them, they would have been CCed on them.

    Not necessarily. I've seen the following scenarios time and again over my decades in the industry...

    Current emails: A lot of employees use their Inbox as a to-do list. They will email themselves things that they later turn into Notes, Calendar appointments and actual To-do items. There will often be lots of useful corporate knowledge locked up in an individual user's mailbox that, for whatever reason, they have not shared with other employees.

    Future emails: A lot of employees receive emails from automated systems. Think monitoring, fault reporting, certificate renewals, etc. Being able to view incoming emails for that account, or redirecting them to a shared infrastructure account, is often a prudent thing to do.

  19. Re:Having security meet him at his desk by Dan1701 · · Score: 4, Insightful

    I worked for a company like that for a while; complete and utter bastards to work for. What that sort of behaviour towards their employees got them was a complete lack of any loyalty whatsoever. Since they were also a bunch of idiots who never planned anything, and always bodged things to run until the next last minute bodge, then however motivated a saboteur might have been, it would have been rather difficult to think up any action which would show up against the background level of incompetence, malevolence and managerial stupidity.

    Most people simply got out of the door quickly, and took care never to work for them ever again, figuring that the company would come to an eventual bad end. It did, as things turned out, and the UK law would still like to have a long, comfortable chat with the company directors in the unlikely event of them ever setting foot in the EU again.

    My take on easter eggs and sabotage like this is simple: DON'T DO IT! You never know when you might need a reference or a job involving some of the people in that last job, and it helps to have maintained a professional aspect and outlook throughout whatever shenanigans led to your departure. People tend to appreciate that sort of thing, and it also gives you the moral (and legal) high ground subsequently. It also means that you're not forever after worrying about whether the law are after you for unspecified crimes, and if you're the worrying sort like myself, it helps not to give yourself anything much to worry about in future.